Introduction

APX is an autonomous security testing platform. Its AI agent, Cipher, reasons like an attacker — exploring targets, chaining vulnerabilities, and producing verified exploits with reproducible proof.

Security testing has historically required either expensive consultants or specialized tools that only security engineers can operate. Pentests cost thousands of dollars, take weeks to schedule, and deliver a PDF full of jargon that developers struggle to act on. Scanners are faster but noisy — hundreds of alerts, most false positives, none with real proof. Both leave you dependent on someone else to tell you what's wrong and whether your fix actually worked.

Cipher eliminates that dependency. Any developer or engineering lead can scope an assessment, run it, and get back findings written in plain English — with business impact, step-by-step attack descriptions, and a reproducible exploit script you can run yourself to see the vulnerability firsthand. When you fix something, you verify it instantly with a single click instead of scheduling another engagement. When Cipher gets something wrong, you correct it directly — no email threads, no waiting. The entire cycle from "is this secure?" to "yes, verified" happens on your timeline, not a consultant's.


What Cipher Tests

Cipher covers four attack surfaces, each mapped to an industry-recognized framework:

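| Type    | What you provide                  | Framework                        |
|---------|-----------------------------------|----------------------------------|
| API     | REST / GraphQL URLs               | OWASP API Security Top 10 (2023) |
| Web     | Web application URLs              | OWASP Top 10:2025                |
| Mobile  | iOS Bundle ID / Android Package Name | OWASP MASVS v2.1.0            |
| Network | IP addresses / CIDR ranges        | PTES v1.1                        |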

You can combine multiple types in a single project. See "What Does Each Assessment Cover?" for the full breakdown.


How It Works

1. Create a project

A project is the isolation boundary — your data, credentials, and findings are contained within it and never cross over. Name your project to get started.

2. Define scope

Choose assessment types, add targets (URLs, app IDs, or IP ranges), upload documentation (e.g., OpenAPI specs, Postman collections), and add login credentials so Cipher has the context it needs. See "How to Scope Effectively" for best practices.

3. Pay and run

Each assessment is $999 — pay via Stripe or organization credits. Once paid, start your project and begin testing.

4. Review assumptions

During testing, Cipher makes assumptions about your system's design intent — for example, "each user's orders are private to that user." These assumptions are surfaced explicitly for your review. If Cipher assumed wrong (maybe sharing orders across users is an intentional business decision), you reject the assumption and affected findings are automatically re-evaluated. No full retest, no wasted time triaging false positives.

The old way: Implicit assumptions become false positives in a final PDF — discovered weeks later, requiring back-and-forth and potentially another engagement to retest.

The APX way: Assumptions are transparent and correctable in minutes.

5. Review findings

Cipher produces verified findings, each with severity, business impact, attack steps, and remediation guidance. Findings include reproducible proof — not scanner noise.

6. Download report

Generate a compliance-ready PDF report, branded with your company's (or your client's) name and logo.

7. Fix and retest

No back-and-forth with a pentester — everything is self-service with results in minutes:

  • Retest findings — verify your fixes with a single click
  • Report false positives — flag findings that aren't real vulnerabilities
  • Dispute severity — request a severity change if you disagree

Repeat steps 5–7 until clean, then regenerate your report.

